Requirement Statement:
I want to disable the “Credentials” tab in Keycloak for all users, including administrators, so that no one can set or reset user passwords directly from the Admin Console. Currently, the Admin Console displays a “Credentials” tab for every user, allowing administrators (and any role with the manage-users permission) to set or reset user passwords. To adhere to our security policies, we must remove or hide this tab across the Admin Console for all roles.
Importantly, this change applies only to the Admin Console. The ability for end-users to reset their passwords via the “Forgot password” link (using an email link) will still be available.
Objective:
- The “Credentials” tab must be completely hidden or disabled for every user and role in the Admin Console.
- Password resets can only occur via the end-users’ self-service flow (using the email link), ensuring that administrators can no longer set or reset passwords from within the Admin Console.